
PEACH
Un framework di isolamento del tenant
CVE-2026-59203 is a denial-of-service vulnerability in Pillow's EPS image parser that allows an unauthenticated attacker to cause an infinite loop by supplying a crafted EPS file with a negative byte count in the %%BeginBinary directive. It affects Pillow versions 12.0.0 through 12.2.0 (inclusive), and was fixed in version 12.3.0. The vulnerability was published on July 14, 2026, with the fix merged on June 22, 2026. It carries a CVSS v3.1 base score of 7.5 (High) per NVD, or 5.3 (Medium) per the GitHub Security Advisory (GitHub Advisory).
The root cause is a missing non-negativity check on the byte count parsed from the %%BeginBinary: directive in PIL/EpsImagePlugin.py (CWE-835: Loop with Unreachable Exit Condition). When Pillow reads the byte count, it passes the value directly to self.fp.seek(bytecount, os.SEEK_CUR) without validating that it is non-negative. A crafted EPS file containing %%BeginBinary:-18 causes the file pointer to seek backwards to the same directive line, which is then re-parsed indefinitely. The loop is triggered during Image.open() alone — it does not require Image.load() or Ghostscript execution — making it exploitable in any code path that opens or validates EPS files. The fix (PR #9708, commit 0399261) adds a check that raises a ValueError with the message "BeginBinary bytecount cannot be negative" if the parsed value is less than zero (GitHub Advisory, Fix Commit).
Successful exploitation causes the affected Python process to hang indefinitely in an infinite loop, consuming 100% CPU and rendering the application unresponsive — a complete availability denial of service. There is no impact on confidentiality or integrity. Web services, API backends, and batch image processing pipelines that accept user-supplied EPS files and pass them to Image.open() are particularly at risk, especially if image parsing runs in a main worker process without CPU time limits, timeouts, or process isolation (GitHub Advisory).
pillow_eps_beginbinary_dos.eps with the following content:%!PS-Adobe-3.0 EPSF-3.0
%%BoundingBox: 0 0 1 1
%%EndComments
% dummy comment after transition
%%BeginBinary:-18
%%EOFThe key payload is %%BeginBinary:-18, which specifies a negative byte count of -18.
Identify a vulnerable target: Locate an application or service using Pillow 12.0.0–12.2.0 that accepts EPS image uploads or processes user-supplied image files (e.g., image validation endpoints, thumbnail generators, document converters).
Deliver the malicious file: Submit the crafted EPS file to the target application via its file upload interface, API endpoint, or any other mechanism that causes the application to call Image.open() on the file.
Trigger the infinite loop: When the application calls Image.open("pillow_eps_beginbinary_dos.eps"), the EPS parser reads %%BeginBinary:-18, seeks the file pointer backwards by 18 bytes to the same directive, and re-parses it indefinitely. The process hangs and consumes 100% CPU, causing a denial of service (GitHub Advisory).
Image.open() calls on EPS files.%%BeginBinary:- followed by a negative integer in upload directories or temporary processing folders.The primary remediation is to upgrade Pillow to version 12.3.0 or later, which raises a ValueError for negative %%BeginBinary byte counts (Pillow Release 12.3.0). If immediate patching is not possible, restrict or block processing of EPS files from untrusted sources, implement file type validation before passing files to Image.open(), and enforce CPU time limits or process timeouts on image parsing workers to bound the impact of exploitation (GitHub Advisory).
Fonte: Questo report è stato generato utilizzando l'intelligenza artificiale
Valutazione gratuita delle vulnerabilità
Valuta le tue pratiche di sicurezza cloud in 9 domini di sicurezza per confrontare il tuo livello di rischio e identificare le lacune nelle tue difese.
Richiedi una demo personalizzata
"La migliore esperienza utente che abbia mai visto offre piena visibilità ai carichi di lavoro cloud."
"Wiz fornisce un unico pannello di controllo per vedere cosa sta succedendo nei nostri ambienti cloud."
"Sappiamo che se Wiz identifica qualcosa come critico, in realtà lo è."